Encryption is a critical tool for protecting sensitive information. It converts data into a form that can be read only by someone who holds the correct key, which protects confidentiality; when an authenticated mode is used it also lets the recipient detect tampering, protecting integrity. Encryption does not by itself provide availability: if the key is lost, the data is lost with it, so key backup and recovery are part of using it correctly. It applies to every kind of data, including text, images, audio, and video. Faculty and staff are expected to use encryption to protect sensitive data from unauthorized access, theft, interception, or modification.
CUI and ITAR
The use of encryption is particularly critical when dealing with Controlled Unclassified Information (CUI) and data subject to the International Traffic in Arms Regulations (ITAR). CUI is a category of unclassified information that requires safeguarding or dissemination controls, as mandated by law, regulation, or government-wide policy. ITAR data is technical data related to defense articles and defense services, and it must not be accessed by unauthorized foreign persons. ITAR data at MSU must be managed under a Technology Control Plan (TCP). Encryption protects CUI and ITAR data from unauthorized access or interception both in transit and at rest; for ITAR in particular, properly encrypted data that is not accessible to foreign persons is treated differently from plaintext data that is. Failure to implement encryption measures can lead to significant legal and financial consequences, including fines and imprisonment, particularly in the context of ITAR compliance. Encryption is therefore a crucial tool for safeguarding CUI and ITAR data and for complying with the relevant laws and regulations.
FIPS Validated Encryption
FIPS 140 (Federal Information Processing Standard 140) validation is the standard for cryptographic modules used by federal agencies and by organizations that handle federal sensitive information. Validation is granted under the Cryptographic Module Validation Program (CMVP), run by NIST, after an accredited laboratory tests the module against the FIPS 140-2 or 140-3 requirements. The important point for practitioners is that validation applies to a specific cryptographic module (a software library, firmware, or hardware component at a specific version), not to an algorithm: using AES in a tool does not make that tool "FIPS validated" unless the module doing the AES work holds a CMVP certificate and is running in its validated (FIPS) mode. Using FIPS validated encryption gives an organization a high degree of confidence that sensitive information is protected by correctly implemented cryptography. It is also frequently a compliance requirement, for example under the Federal Information Security Modernization Act (FISMA) and the NIST SP 800-171 controls that apply to CUI.
Whenever possible, use AES (Advanced Encryption Standard) as the encryption algorithm, with a 256-bit key where the tool lets you choose, because of its strength, its hardware acceleration on modern processors, and its status as a FIPS-approved algorithm. For more information, refer to NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices.
Laptops and Desktops
All systems used to work with sensitive information should have full-disk encryption enabled. If you are working with CUI or ITAR data, ensure that the encryption is provided by a FIPS validated module.
Windows
To protect sensitive data on Windows, enable BitLocker. If you handle Controlled Unclassified Information (CUI) or data governed by the International Traffic in Arms Regulations (ITAR), enable FIPS mode (the security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") before turning BitLocker on, because BitLocker chooses its algorithms and key protectors when a volume is first encrypted; a volume encrypted before the policy was set would have to be decrypted and re-encrypted. If you are not working with CUI or ITAR data, enabling FIPS mode is not recommended, since it restricts other software to the FIPS-approved algorithm set and can cause compatibility problems. Work with your local IT department to enable BitLocker, and make sure the recovery key is backed up (to Active Directory, Entra ID, or another location your IT unit approves) before encryption starts.
Apple and macOS
Enable FileVault 2, the built-in full-disk encryption feature, to protect sensitive data on macOS computers, and record the recovery key somewhere safe (or escrow it with your IT department) when prompted. Apple maintains U.S. Federal Information Processing Standard (FIPS) 140-2/140-3 Conformance Validation Certificates for the cryptographic modules that macOS and the T2 / Apple silicon Secure Enclave firmware rely on, as well as other certifications; because certificates are tied to specific OS versions, confirm that the macOS version you are running is covered before relying on it for CUI or ITAR data.
Linux
LUKS (Linux Unified Key Setup), managed with the cryptsetup tool, is the standard full-disk encryption format for Linux. Use AES in XTS mode with a 512-bit key (the cipher spec aes-xts-plain64, which gives AES-256; this is the default on current cryptsetup releases). Choosing AES makes the algorithm FIPS-approved, but the encryption is only FIPS validated when the kernel's crypto module holds a CMVP certificate and the system is booted in FIPS mode, which in practice means running a distribution that ships a validated kernel (for example Red Hat Enterprise Linux or Ubuntu Pro with FIPS enabled). A stock community kernel running LUKS with AES does not meet the validation requirement for CUI or ITAR data.
The simplest way to get LUKS is to select disk encryption in the distribution's installer, which normally means reinstalling an existing system. Recent cryptsetup versions can also encrypt an existing, unmounted partition in place (cryptsetup reencrypt with the --encrypt option, which needs free space at the end of the partition for the LUKS header), but the operation rewrites every block and is unrecoverable if interrupted. Either way, have complete and verified backups of all data before you begin.
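The following script is an added example, not MSU-provided tooling, showing how to verify the two things the paragraphs above ask for on a Linux host: that the kernel is running in FIPS mode (the /proc/sys/crypto/fips_enabled flag) and that a LUKS volume actually uses aes-xts-plain64 with a 512-bit key. It parses the output of cryptsetup luksDump for both LUKS1 and LUKS2 headers; the two embedded header excerpts are constructed samples so the functions can be exercised without a real device. Note what the script cannot tell you: whether the distribution's kernel crypto module holds a CMVP certificate, which has to be checked against the vendor's documentation.

```shell
#!/bin/sh
# Added example (not MSU code): pre-flight check that a Linux host is in kernel
# FIPS mode and that a LUKS container uses AES-256 in XTS mode.
# Assumes only POSIX sh, awk and (for real devices) cryptsetup.

# fips_enabled [FILE]: succeeds when the kernel reports FIPS mode on. The optional
# file argument exists only so the function can be tested against a constructed file.
fips_enabled() {
    fips_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fips_file" ] || return 1
    [ "$(cat "$fips_file")" = "1" ]
}

# luks_check DUMP: given the text of `cryptsetup luksDump <device>`, succeed when
# the data cipher is aes-xts-plain64 with a key of at least 512 bits. XTS splits
# its key in two, so a 512-bit XTS key means AES-256. Handles LUKS1 and LUKS2.
luks_check() {
    luks_dump="$1"
    luks_version=$(printf '%s\n' "$luks_dump" \
        | awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    if [ "$luks_version" = "2" ]; then
        # LUKS2: the data segment lists "cipher:", the keyslot lists "Key: N bits"
        luks_cipher=$(printf '%s\n' "$luks_dump" \
            | awk -F: '/^[ \t]*cipher:/ { gsub(/[ \t]/, "", $2); print $2; exit }')
        luks_bits=$(printf '%s\n' "$luks_dump" \
            | awk '/^[ \t]*Key:[ \t]+[0-9]+ bits/ { print $2; exit }')
    else
        # LUKS1: separate "Cipher name:" / "Cipher mode:" lines and "MK bits:"
        luks_name=$(printf '%s\n' "$luks_dump" \
            | awk -F: '/^Cipher name:/ { gsub(/[ \t]/, "", $2); print $2; exit }')
        luks_mode=$(printf '%s\n' "$luks_dump" \
            | awk -F: '/^Cipher mode:/ { gsub(/[ \t]/, "", $2); print $2; exit }')
        luks_cipher="$luks_name-$luks_mode"
        luks_bits=$(printf '%s\n' "$luks_dump" \
            | awk '/^MK bits:/ { print $3; exit }')
    fi
    case "$luks_cipher" in
        aes-xts-plain64) ;;
        *) echo "cipher is '$luks_cipher', expected aes-xts-plain64"; return 1 ;;
    esac
    case "$luks_bits" in
        ''|*[!0-9]*) echo "could not determine key size from header"; return 1 ;;
    esac
    if [ "$luks_bits" -lt 512 ]; then
        echo "key is $luks_bits bits, expected 512 (AES-256 in XTS mode)"
        return 1
    fi
    echo "ok: $luks_cipher with a $luks_bits-bit key"
}

# Constructed LUKS2 luksDump excerpt (not captured from a real device).
SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          3
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits'

# Constructed LUKS1 excerpt with a 256-bit XTS key (only AES-128): must fail.
SAMPLE_LUKS1_WEAK='LUKS header information for /dev/sdb1
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        256'

# Real use (needs root): sh luks_fips_check.sh /dev/sda3
if [ "$#" -gt 0 ] && command -v cryptsetup >/dev/null 2>&1; then
    if fips_enabled; then echo "kernel FIPS mode: on"; else echo "kernel FIPS mode: OFF"; fi
    luks_check "$(cryptsetup luksDump "$1")"
fi
```

Run it against the device that backs your root or data filesystem; a clean result plus a vendor FIPS certificate for the running kernel is the evidence an auditor will ask for.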
Removable Media
Removable media refers to portable devices such as USB drives, external hard drives, and SD cards that can be easily connected to a computer system. These devices are commonly used to transfer data between computers, but they pose a significant security risk because they are easily lost, stolen, or accessed by unauthorized individuals. Encrypting removable media means that a lost or stolen device exposes only ciphertext, so the loss of the hardware does not become a data breach.
Self-Encrypting Removable Media
Self-encrypting removable media refers to portable storage devices with built-in hardware encryption, where data is encrypted and decrypted by the device itself after the user unlocks it (typically with a PIN on a keypad or through vendor software). When working with CUI or ITAR data, choose a device that uses FIPS-validated encryption: look up the vendor's FIPS 140-2 or 140-3 certificate number on NIST's CMVP validated modules list rather than relying on "FIPS compliant" wording in marketing material, and prefer devices that lock after a set number of failed unlock attempts.
Full-disk Encryption
Full-disk encryption is a security measure that encrypts all data stored on a computer's drive, including the operating system and system files, so that nothing on the disk is readable without the key.
- Microsoft Windows BitLocker
- Apple macOS FileVault 2
- VeraCrypt (choose the AES algorithm; note that VeraCrypt itself is not a FIPS 140 validated module, so it does not on its own satisfy the CUI/ITAR requirement)
File Encryption Software
File encryption software allows users to encrypt individual files or folders, which is useful for sharing or transferring sensitive data and for protecting it on a device that is not fully encrypted. It complements full-disk encryption rather than replacing it.
- 7-Zip (choose AES-256 with a strong password; 7-Zip is not a FIPS 140 validated module, so it does not on its own satisfy the CUI/ITAR requirement)
- Microsoft Windows EFS (uses the Windows cryptographic modules, so it is covered by Windows' FIPS validation when FIPS mode is enabled)
- VeraCrypt (choose the AES algorithm; not a FIPS 140 validated module, as noted above)